From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6987EFBE6 for ; Mon, 11 Sep 2023 14:35:14 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E0441C433C8; Mon, 11 Sep 2023 14:35:13 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1694442914; bh=aE7fASXhDPDw/UVu0VYlqZvqkDFY7GvtKUsvOeqnwB8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=to03pe4c32yQGfsvVdyBjoL7jGyf1MK77/giUvz2m0SJf640WjaFzB08rCeQX3IZX ZcLYt2iulDoY6VoM5Cdyw08kU23IDZYeA1NIPE9OI3SqBFWOXUe8wBqT84Hd+fqoAZ n3ptaS4qku0xZVBUv0ZFNEWW8Y1bW0bomwFzCM4A= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Florent Revest , syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com, syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com, Herbert Xu , Sasha Levin Subject: [PATCH 6.4 193/737] crypto: api - Use work queue in crypto_destroy_instance Date: Mon, 11 Sep 2023 15:40:52 +0200 Message-ID: <20230911134655.984733737@linuxfoundation.org> X-Mailer: git-send-email 2.42.0 In-Reply-To: <20230911134650.286315610@linuxfoundation.org> References: <20230911134650.286315610@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Herbert Xu [ Upstream commit 9ae4577bc077a7e32c3c7d442c95bc76865c0f17 ] The function crypto_drop_spawn expects to be called in process context. However, when an instance is unregistered while it still has active users, the last user may cause the instance to be freed in atomic context. Fix this by delaying the freeing to a work queue. Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns") Reported-by: Florent Revest Reported-by: syzbot+d769eed29cc42d75e2a3@syzkaller.appspotmail.com Reported-by: syzbot+610ec0671f51e838436e@syzkaller.appspotmail.com Signed-off-by: Herbert Xu Tested-by: Florent Revest Acked-by: Florent Revest Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin --- crypto/algapi.c | 16 ++++++++++++++-- include/crypto/algapi.h | 3 +++ 2 files changed, 17 insertions(+), 2 deletions(-) diff --git a/crypto/algapi.c b/crypto/algapi.c index 5e7cd603d489c..4fe95c4480473 100644 --- a/crypto/algapi.c +++ b/crypto/algapi.c @@ -17,6 +17,7 @@ #include #include #include +#include #include "internal.h" @@ -74,15 +75,26 @@ static void crypto_free_instance(struct crypto_instance *inst) inst->alg.cra_type->free(inst); } -static void crypto_destroy_instance(struct crypto_alg *alg) +static void crypto_destroy_instance_workfn(struct work_struct *w) { - struct crypto_instance *inst = (void *)alg; + struct crypto_instance *inst = container_of(w, struct crypto_instance, + free_work); struct crypto_template *tmpl = inst->tmpl; crypto_free_instance(inst); crypto_tmpl_put(tmpl); } +static void crypto_destroy_instance(struct crypto_alg *alg) +{ + struct crypto_instance *inst = container_of(alg, + struct crypto_instance, + alg); + + INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn); + schedule_work(&inst->free_work); +} + /* * This function adds a spawn to the list secondary_spawns which * will be used at the end of crypto_remove_spawns to unregister diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h index 016d5a302b84a..bd3a99b0106bf 100644 --- a/include/crypto/algapi.h +++ b/include/crypto/algapi.h @@ -12,6 +12,7 @@ #include #include #include +#include /* * Maximum values for blocksize and alignmask, used to allocate @@ -83,6 +84,8 @@ struct crypto_instance { struct crypto_spawn *spawns; }; + struct work_struct free_work; + void *__ctx[] CRYPTO_MINALIGN_ATTR; }; -- 2.40.1